CCNA Security Lab 12 - Catalyst Switch STP and DTP Security - CLI 

Lab 12 

Catalyst Switch STP and DTP Security 
Lab Objective: 

The objective of this lab exercise is for you to learn and understand how to enable 
the Catalyst switch security features that are used in conjunction with STP 
and DTP: PortFast with BPDU Guard, BPDU Filter, Root Guard, and static trunking 
with DTP disabled. 

Lab Purpose: 

While there are a plethora of security features that can be configured on 
Catalyst switches, it is important to understand and have practical knowledge of 
those that pertain to the CCNA Security course and how they are implemented and 
validated. 

Lab Difficulty: 

This lab has a difficulty rating of 7/10. 

Readiness Assessment: 

When you are ready for your certification exam, you should complete this lab in 
no more than 15 minutes. 

Lab Topology: 

Please use any single switch to complete this lab: 



This lab is based on a Cisco Catalyst switch with 24 10/100 FastEthernet ports and 2 1000 Mb/s 
GigabitEthernet ports. If you do NOT have a similar switch, substitute the port numbers or port ranges 
used in this lab with those available on your switch. For example, if you only have 12 10/100 
FastEthernet ports and a Task refers to Ports 1-24, simply adjust the question to Ports 1-12 so that 
you can complete the lab on your switch. In a similar manner, if a Task asks for configuration on the 
GigabitEthernet ports, and you only have a 12-port 10/100 FastEthernet switch, simply substitute 
GigabitEthernet0/1 and GigabitEthernet0/2 with FastEthernet0/11 and FastEthernet0/12, for example. 





Lab 12 Configuration Tasks 
Task 1: 

Configure the hostname on Sw1 as illustrated in the diagram. In addition to this, configure the following 
VLANs on Sw1 and assign the ports specified to those VLANs: 

VLAN Number   VLAN Name            VLAN Ports 
100           CATALYST_VLAN_100    FastEthernet0/1 - FastEthernet0/9 
200           CATALYST_VLAN_200    FastEthernet0/10 - FastEthernet0/19 

Task 2: 

Configure all ports in VLAN 100 as static Access ports that also use PortFast. These ports will always be 
connected to end hosts (i.e. PCs); therefore, configure these ports so that if a BPDU is received, the 
port is immediately placed into the error-disabled state (effectively shut down). 

Task 3: 

Configure all ports in VLAN 200 as static Access ports that also use PortFast. These ports will also be 
connected to end hosts (i.e. PCs); however, unlike the default behavior of a switch, which sends BPDUs 
out of every port, Sw1 should never send BPDUs on these ports. 

Task 4: 

Ports FastEthernet0/20 to FastEthernet0/24 are currently not being used and should be shut down. 
However, in order to prevent an STP topology change in the event that someone plugs in a switch with 
superior BPDUs on any one of these ports and brings them up, configure these ports so that the 
placement of the root bridge in the network is not changed. 

Task 5: 

Configure the GigabitEthernet0/1 and GigabitEthernet0/2 interfaces of Sw1 as Trunk ports that will never 
use the Dynamic Trunking Protocol. 
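Before working through the configuration, it helps to see what Tasks 2 to 4 actually buy you when a rogue switch sends a BPDU into one of these ports. The following Python model is an added example, not part of the original lab and not Cisco code: it encodes documented Catalyst behaviour in simplified form so that BPDU Guard, interface-level BPDU Filter, the global PortFast BPDU Filter default and Root Guard can be compared side by side. Assumptions: one BPDU at a time, no STP timers, and "superior" means the sender's bridge priority is lower than that of the current root. The port names and priorities are taken from the lab; the scenario names are made up for this example.

```python
"""Behavioural model of the STP protections configured in Tasks 2 to 4.

Added example, not IOS code. Simplifications: one BPDU at a time, no
timers, 'superior' = sender priority lower than the current root's.
"""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    shutdown: bool = False
    portfast: bool = False
    bpduguard: bool = False    # interface: spanning-tree bpduguard enable
    bpdufilter: bool = False   # interface: spanning-tree bpdufilter enable
    rootguard: bool = False    # interface: spanning-tree guard root
    state: str = "forwarding"
    log: list = field(default_factory=list)


@dataclass
class Switch:
    root_priority: int = 32768         # priority of the current root bridge
    global_bpduguard: bool = False     # spanning-tree portfast bpduguard default
    global_bpdufilter: bool = False    # spanning-tree portfast bpdufilter default

    def receive_bpdu(self, port, sender_priority):
        """Apply one incoming BPDU to `port` and return the resulting port state."""
        if port.shutdown:
            port.log.append("administratively down: frame never reaches STP")
            return port.state
        # An interface-level filter drops BPDUs before any other feature sees
        # them, so Guard and Root Guard can never fire: STP is off on this port.
        if port.bpdufilter:
            port.log.append("interface BPDU Filter: BPDU dropped, STP not running")
            return port.state
        # BPDU Guard: explicit on the interface, or the global default on a
        # PortFast port. Any BPDU, superior or not, err-disables the port.
        if port.bpduguard or (self.global_bpduguard and port.portfast):
            port.state = "err-disabled"
            port.log.append("BPDU Guard: port err-disabled until recovered")
            return port.state
        # Without Guard, a BPDU on a PortFast port just ends PortFast; the
        # global filter default stops filtering at the same moment.
        if port.portfast:
            port.portfast = False
            note = "PortFast lost, normal STP resumes"
            if self.global_bpdufilter:
                note = "global BPDU Filter lifted; " + note
            port.log.append(note)
        # Root Guard reacts only to a BPDU that would move the root bridge.
        if port.rootguard and sender_priority < self.root_priority:
            port.state = "root-inconsistent"
            port.log.append("Root Guard: superior BPDU blocked, root unchanged")
            return port.state
        port.state = "forwarding"
        port.log.append("BPDU processed: sender joins the topology as a neighbour")
        return port.state


def run_scenarios():
    """Replay the lab's port roles against a rogue switch; return the outcomes."""
    sw = Switch(root_priority=32768, global_bpduguard=True, global_bpdufilter=True)
    results = {}
    # Task 2: VLAN 100 host port, PortFast + BPDU Guard
    p = Port("Fa0/1", portfast=True, bpduguard=True)
    results["task2_guard"] = sw.receive_bpdu(p, 32768)
    # Task 3: VLAN 200 host port, PortFast + interface BPDU Filter
    p = Port("Fa0/12", portfast=True, bpdufilter=True)
    results["task3_filter"] = sw.receive_bpdu(p, 4096)      # even a superior BPDU is ignored
    # Same port protected only by the global filter default (no guard at all)
    sw_nog = Switch(root_priority=32768, global_bpdufilter=True)
    p = Port("Fa0/12", portfast=True)
    results["global_filter_only"] = sw_nog.receive_bpdu(p, 32768)
    results["global_filter_portfast_after"] = p.portfast
    # Task 4: unused port, shut down with Root Guard
    p = Port("Fa0/20", shutdown=True, rootguard=True, state="down")
    results["task4_shut"] = sw.receive_bpdu(p, 4096)
    p.shutdown = False                                      # someone issues 'no shutdown'
    results["task4_superior"] = sw.receive_bpdu(p, 4096)
    q = Port("Fa0/21", rootguard=True)
    results["task4_inferior"] = sw.receive_bpdu(q, 61440)   # rogue that does not try to be root
    return results


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key:32} {value}")
```

The last two scenarios are the ones worth dwelling on: Root Guard protects the root bridge placement but does nothing against a rogue switch that simply joins the topology with an inferior BPDU, and an interface-level BPDU Filter stops every other protection from ever seeing a BPDU. Only BPDU Guard takes the port out of service on the first BPDU regardless of its contents.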


Lab 12 Configuration and Verification 
Task 1: 

Switch(config)#hostname Sw1 
Sw1(config)#vlan 100 
Sw1(config-vlan)#name CATALYST_VLAN_100 
Sw1(config-vlan)#exit 
Sw1(config)#vlan 200 
Sw1(config-vlan)#name CATALYST_VLAN_200 
Sw1(config-vlan)#exit 
Sw1(config)#interface range fast 0/1 - 9 
Sw1(config-if-range)#switchport access vlan 100 
Sw1(config-if-range)#exit 
Sw1(config)#interface range fast 0/10 - 19 
Sw1(config-if-range)#switchport access vlan 200 
Sw1(config-if-range)#exit 
Sw1(config)#exit 

Sw1# 


Sw1#show vlan brief 

VLAN Name                             Status    Ports 
---- -------------------------------- --------- ------------------------------- 
1    default                          active    Fa0/20, Fa0/21, Fa0/22, Fa0/23 
                                                Fa0/24, Gi0/1, Gi0/2 
100  CATALYST_VLAN_100                active    Fa0/1, Fa0/2, Fa0/3, Fa0/4 
                                                Fa0/5, Fa0/6, Fa0/7, Fa0/8 
                                                Fa0/9 
200  CATALYST_VLAN_200                active    Fa0/10, Fa0/11, Fa0/12, Fa0/13 
                                                Fa0/14, Fa0/15, Fa0/16, Fa0/17 
                                                Fa0/18, Fa0/19 
1002 fddi-default                     active 
1003 trcrf-default                    active 
1004 fddinet-default                  active 
1005 trbrf-default                    active 

Task 2: 

Sw1(config)#spanning-tree portfast bpduguard default 
Sw1(config)#interface range fast 0/1 - 9 
Sw1(config-if-range)#switchport mode access 
Sw1(config-if-range)#spanning-tree portfast 
%Warning: portfast should only be enabled on ports connected to a single 
 host. Connecting hubs, concentrators, switches, bridges, etc... to this 
 interface when portfast is enabled, can cause temporary bridging loops. 
 Use with CAUTION 

%Portfast will be configured in 9 interfaces due to the range command 
 but will only have effect when the interfaces are in a non-trunking mode. 
Sw1(config-if-range)#spanning-tree bpduguard enable 
Sw1(config-if-range)#exit 
Sw1(config)#exit 
Sw1# 

Sw1#show spanning-tree summary 
Switch is in pvst mode 
Root bridge for: none 
EtherChannel misconfiguration guard is enabled 
Extended system ID           is enabled 
Portfast                     is disabled by default 
PortFast BPDU Guard          is enabled by default 
Portfast BPDU Filter         is disabled by default 
Loopguard                    is disabled by default 
UplinkFast                   is disabled 
BackboneFast                 is disabled 
Pathcost method used         is short 

Name                   Blocking Listening Learning Forwarding STP Active 
---------------------- -------- --------- -------- ---------- ---------- 
Total                         0         0        0          0          0 

To further verify your configuration, connect a device to one of the VLAN 100 ports, bring the port up 
and issue the show spanning-tree interface command as follows. The lines to look for are "The port is in 
the portfast mode" and "Bpdu guard is enabled"; a "received 0" BPDU counter confirms that no switch is 
attached, since the first BPDU received on this port would place it into the error-disabled state: 

Sw1#show spanning-tree interface f0/1 detail 
Port 1 (FastEthernet0/1) of VLAN0100 is forwarding 
   Port path cost 19, Port priority 128, Port Identifier 128.1. 
   Designated root has priority 32868, address 000d.bd06.4100 
   Designated bridge has priority 32868, address 000d.bd06.4100 
   Designated port id is 128.1, designated path cost 0 
   Timers: message age 0, forward delay 0, hold 0 
   Number of transitions to forwarding state: 1 
   The port is in the portfast mode 
   Link type is point-to-point by default 
   Bpdu guard is enabled 
   Bpdu filter is disabled by default 
   BPDU: sent 11, received 0 
Task 3: 

Sw1(config)#spanning-tree portfast bpdufilter default 
Sw1(config)#interface range fast 0/10 - 19 
Sw1(config-if-range)#switchport mode access 
Sw1(config-if-range)#spanning-tree portfast 
%Warning: portfast should only be enabled on ports connected to a single 
 host. Connecting hubs, concentrators, switches, bridges, etc... to this 
 interface when portfast is enabled, can cause temporary bridging loops. 
 Use with CAUTION 

%Portfast will be configured in 10 interfaces due to the range command 
 but will only have effect when the interfaces are in a non-trunking mode. 
Sw1(config-if-range)#spanning-tree bpdufilter enable 
Sw1(config-if-range)#exit 
Sw1(config)#exit 
Sw1# 

Sw1#show spanning-tree summary 
Switch is in pvst mode 
Root bridge for: none 
EtherChannel misconfiguration guard is enabled 
Extended system ID           is enabled 
Portfast                     is disabled by default 
PortFast BPDU Guard          is enabled by default 
Portfast BPDU Filter         is enabled by default 
Loopguard                    is disabled by default 
UplinkFast                   is disabled 
BackboneFast                 is disabled 
Pathcost method used         is short 

Name                   Blocking Listening Learning Forwarding STP Active 
---------------------- -------- --------- -------- ---------- ---------- 
Total                         0         0        0          0          0 

To further verify your configuration, connect a device to one of the VLAN 200 ports, bring the port up 
and issue the show spanning-tree interface command as follows: 

Sw1#show spanning-tree interface f0/12 detail 
Port 12 (FastEthernet0/12) of VLAN0200 is forwarding 
   Port path cost 19, Port priority 128, Port Identifier 128.12. 
   Designated root has priority 32968, address 000d.bd06.4100 
   Designated bridge has priority 32968, address 000d.bd06.4100 
   Designated port id is 128.12, designated path cost 0 
   Timers: message age 0, forward delay 0, hold 0 
   The port is in the portfast mode 
   Link type is point-to-point by default 
   Bpdu guard is enabled by default 
   Bpdu filter is enabled 
   BPDU: sent 0, received 0 

Note the counters: with BPDU Filter enabled at the interface level the port neither sends nor processes 
BPDUs, so STP is effectively switched off on that port. BPDU Guard, shown here as "enabled by default" 
because of the global setting from Task 2, can never trigger on this port, because it never sees a BPDU; 
a switch plugged into such a port could form a loop that Sw1 would not detect. The global PortFast 
BPDU Filter default configured at the start of this task is the safer of the two forms: a port filtered 
only globally stops filtering and drops out of PortFast as soon as it receives a BPDU. Use the 
interface-level form only where you are certain no bridging device will ever be attached. 
Task 4: 

Sw1(config)#interface range f0/20 - 24 
Sw1(config-if-range)#description 'Currently not being used' 
Sw1(config-if-range)#shutdown 
Sw1(config-if-range)#spanning-tree guard root 
Sw1(config-if-range)#exit 
Sw1(config)#exit 
Sw1# 

Task 5: 

Sw1(config)#interface range g0/1 - 2 
Sw1(config-if-range)#no shutdown 
Sw1(config-if-range)#switchport mode trunk 
Sw1(config-if-range)#switchport nonegotiate 
Sw1(config-if-range)#exit 
Sw1(config)#exit 
Sw1# 

To verify, check the "Negotiation of Trunking" line in the switchport output: "Off" means the port no 
longer sends DTP frames. Because the port no longer negotiates, the neighbouring switch must also be 
configured as a static trunk, otherwise the link will not come up as a trunk. 

Sw1#show interfaces gigabitethernet 0/1 switchport 

Name: Gi0/1 
Switchport: Enabled 
Administrative Mode: trunk 
Operational Mode: down 
Administrative Trunking Encapsulation: dot1q 

Negotiation of Trunking: Off 

Access Mode VLAN: 1 (default) 

Trunking Native Mode VLAN: 1 (default) 

Voice VLAN: none 

Administrative private-vlan host-association: none 
Administrative private-vlan mapping: none 
Operational private-vlan: none 
Trunking VLANs Enabled: ALL 


Pruning VLANs Enabled: 2-1001 
Capture Mode Disabled 
Capture VLANs Allowed: ALL 

Protected: false 

Voice VLAN: none (Inactive) 

Appliance trust: none 

Lab 12 Configurations 
Swl Configuration 

Sw1#show running-config 
Building configuration... 

Current configuration : 4260 bytes 
! 
version 12.1 
no service pad 
service timestamps debug uptime 
service timestamps log uptime 
no service password-encryption 
! 
hostname Sw1 
! 
no logging console 
! 
ip subnet-zero 
vtp domain LAB12 
vtp mode transparent 
! 
spanning-tree mode pvst 
spanning-tree portfast bpduguard default 
spanning-tree portfast bpdufilter default 
no spanning-tree optimize bpdu transmission 
spanning-tree extend system-id 
! 
vlan 100 
 name CATALYST_VLAN_100 
! 
vlan 200 
 name CATALYST_VLAN_200 
! 
interface FastEthernet0/1 
 switchport access vlan 100 
 switchport mode access 
 no ip address 
 spanning-tree portfast 
 spanning-tree bpduguard enable 
! 
interface FastEthernet0/2 
 switchport access vlan 100 
 switchport mode access 
 no ip address 
 spanning-tree portfast 
 spanning-tree bpduguard enable 
! 
interface FastEthernet0/3 
 switchport access vlan 100 
 switchport mode access 
 no ip address 
 spanning-tree portfast 
 spanning-tree bpduguard enable 
! 
interface FastEthernet0/4 
 switchport access vlan 100 
 switchport mode access 
 no ip address 
 spanning-tree portfast 
 spanning-tree bpduguard enable 
! 
interface FastEthernet0/5 
 switchport access vlan 100 
 switchport mode access 
 no ip address 
 spanning-tree portfast 
 spanning-tree bpduguard enable 
! 
interface FastEthernet0/6 
 switchport access vlan 100 
 switchport mode access 
 no ip address 
 spanning-tree portfast 
 spanning-tree bpduguard enable 
! 
interface FastEthernet0/7 
 switchport access vlan 100 
 switchport mode access 
 no ip address 
 spanning-tree portfast 
 spanning-tree bpduguard enable 
! 
interface FastEthernet0/8 
 switchport access vlan 100 
 switchport mode access 
 no ip address 
 spanning-tree portfast 
 spanning-tree bpduguard enable 
! 
interface FastEthernet0/9 
 switchport access vlan 100 
 switchport mode access 
 no ip address 
 spanning-tree portfast 
 spanning-tree bpduguard enable 
! 
interface FastEthernet0/10 
 switchport access vlan 200 
 switchport mode access 
 no ip address 
 spanning-tree portfast 
 spanning-tree bpdufilter enable 
! 
interface FastEthernet0/11 
 switchport access vlan 200 
 switchport mode access 
 no ip address 
 spanning-tree portfast 
 spanning-tree bpdufilter enable 
! 
interface FastEthernet0/12 
 switchport access vlan 200 
 switchport mode access 
 no ip address 
 spanning-tree portfast 
 spanning-tree bpdufilter enable 
! 
interface FastEthernet0/13 
 switchport access vlan 200 
 switchport mode access 
 no ip address 
 spanning-tree portfast 
 spanning-tree bpdufilter enable 
! 
interface FastEthernet0/14 
 switchport access vlan 200 
 switchport mode access 
 no ip address 
 spanning-tree portfast 
 spanning-tree bpdufilter enable 
! 
interface FastEthernet0/15 
 switchport access vlan 200 
 switchport mode access 
 no ip address 
 spanning-tree portfast 
 spanning-tree bpdufilter enable 
! 
interface FastEthernet0/16 
 switchport access vlan 200 
 switchport mode access 
 no ip address 
 spanning-tree portfast 
 spanning-tree bpdufilter enable 
! 
interface FastEthernet0/17 
 switchport access vlan 200 
 switchport mode access 
 no ip address 
 spanning-tree portfast 
 spanning-tree bpdufilter enable 
! 
interface FastEthernet0/18 
 switchport access vlan 200 
 switchport mode access 
 no ip address 
 spanning-tree portfast 
 spanning-tree bpdufilter enable 
! 
interface FastEthernet0/19 
 switchport access vlan 200 
 switchport mode access 
 no ip address 
 spanning-tree portfast 
 spanning-tree bpdufilter enable 
! 
interface FastEthernet0/20 
 description 'Currently not being used' 
 no ip address 
 shutdown 
 spanning-tree guard root 
! 
interface FastEthernet0/21 
 description 'Currently not being used' 
 no ip address 
 shutdown 
 spanning-tree guard root 
! 
interface FastEthernet0/22 
 description 'Currently not being used' 
 no ip address 
 shutdown 
 spanning-tree guard root 
! 
interface FastEthernet0/23 
 description 'Currently not being used' 
 no ip address 
 shutdown 
 spanning-tree guard root 
! 
interface FastEthernet0/24 
 description 'Currently not being used' 
 no ip address 
 shutdown 
 spanning-tree guard root 
! 
interface GigabitEthernet0/1 
 switchport mode trunk 
 switchport nonegotiate 
 no ip address 
! 
interface GigabitEthernet0/2 
 switchport mode trunk 
 switchport nonegotiate 
 no ip address 
! 
interface Vlan1 
 no ip address 
 no ip route-cache 
 shutdown 
! 
ip http server 
! 
! 
line con 0 
line vty 5 15 
! 
end 
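A running-config of this shape is easy to audit mechanically, which is how you would check the same hardening across a whole closet of switches rather than one port at a time. The following Python script is an added example, not part of the original lab and not Cisco code: it parses the classic IOS layout (global commands, then interface blocks closed by "!") and checks the invariants Tasks 2 to 5 establish. It knows only the commands used in this lab. SAMPLE_CONFIG is constructed from Sw1's configuration above, trimmed to a few representative ports, with two deliberate deviations so the checks have something to report: Fa0/21 is left un-shut and Gi0/2 lacks "switchport nonegotiate". Fa0/10 is flagged as well, even though the lab configures it that way, because an interface-level BPDU Filter is a loop risk on any port a switch might one day be plugged into.

```python
"""Audit a Catalyst running-config for the STP/DTP hardening in this lab.

Added example, not Cisco code. Understands only the commands used in
Tasks 2 to 5 of the lab; SAMPLE_CONFIG is a constructed, trimmed copy of
Sw1's configuration with two deliberate deviations (see the lead-in).
"""
import re

SAMPLE_CONFIG = """\
hostname Sw1
!
spanning-tree mode pvst
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
!
interface FastEthernet0/1
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/10
 switchport access vlan 200
 switchport mode access
 spanning-tree portfast
 spanning-tree bpdufilter enable
!
interface FastEthernet0/20
 description 'Currently not being used'
 shutdown
 spanning-tree guard root
!
interface FastEthernet0/21
 description 'Currently not being used'
 spanning-tree guard root
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/2
 switchport mode trunk
!
end
"""


def parse_config(text):
    """Split an IOS running-config into global commands and per-interface commands."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None                  # '!' (or a blank line) closes a block
            continue
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line.strip())
        else:
            global_cmds.append(line.strip())
    return global_cmds, interfaces


def audit(text):
    """Return (interface, severity, message) findings against the lab's hardening rules."""
    global_cmds, interfaces = parse_config(text)
    global_guard = "spanning-tree portfast bpduguard default" in global_cmds
    findings = []
    for name, cmds in interfaces.items():
        c = set(cmds)
        shut = "shutdown" in c
        mode = "dynamic"                    # Catalyst default: DTP negotiates access/trunk
        for cmd in cmds:
            if cmd.startswith("switchport mode "):
                mode = cmd.split()[2]
        portfast = "spanning-tree portfast" in c
        # Guard is active if set on the interface, or inherited from the global
        # default on a PortFast port that has not explicitly disabled it.
        guard = ("spanning-tree bpduguard enable" in c
                 or (global_guard and portfast and "spanning-tree bpduguard disable" not in c))
        unused = any(cmd.startswith("description") and "not being used" in cmd.lower()
                     for cmd in cmds)

        if "spanning-tree bpdufilter enable" in c:
            findings.append((name, "HIGH",
                "interface-level BPDU Filter disables STP on this port entirely; a rogue "
                "switch here can form an undetected loop. Prefer the global "
                "'spanning-tree portfast bpdufilter default', which lifts once a BPDU arrives"))
        elif portfast and not guard:
            findings.append((name, "HIGH",
                "PortFast host port without BPDU Guard (interface or global default)"))
        if mode == "trunk" and "switchport nonegotiate" not in c:
            findings.append((name, "MEDIUM",
                "static trunk still sends DTP frames; add 'switchport nonegotiate'"))
        if mode == "dynamic" and not shut:
            findings.append((name, "MEDIUM",
                "default dynamic switchport mode leaves DTP open; a host could negotiate a "
                "trunk. Set 'switchport mode access' or shut the port"))
        if unused and not shut:
            findings.append((name, "LOW", "described as unused but not shut down"))
    return findings


if __name__ == "__main__":
    for iface, sev, msg in audit(SAMPLE_CONFIG):
        print(f"{sev:6} {iface:20} {msg}")
```

Run against the real device, feed it the output of show running-config instead of SAMPLE_CONFIG. Note that the audit reads configuration, not state: it cannot tell you whether a Task 4 port has since been brought up, or whether a Gi0/1 trunk actually formed, which is what the show commands earlier in the lab are for.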